Welcome

Thank you for taking time to visit my blog. My name is Drew Olson and I hope to use this space to share ideas and generate conversation regarding identity and access management

    Recent Postings
    Wednesday, Apr 13 2011

    Expired accounts: ‘Please help, I can no longer log in — what now?’ 

    System administrators and helpdesk agents will be familiar with the problem: temporary hires or external employees are assigned a user account with an expiration date. Meanwhile, their contract is renewed without the IT department being notified, so the next morning you find the users at your desk complaining that they cannot work.

    Solution 1: A link with the HRM system

    A structural solution is to link your Active Directory to the HRM system (e.g. PeopleSoft, SAP HCM, Lawson). A ‘connector’ will automatically detect contracts that are about to expire and determine exactly when an account must be blocked. Any modifications in the HRM system will also be implemented automatically in Active Directory by the connector, enabling employees to continue working as usual. This connector can also operate on the basis of a phased approach. For instance, you can configure a ‘grace period’ that will allow users to log in until 2 days after their contract has expired. After this grace period, the user account will be quarantined for a period of 90 days, after which it will be completely erased, including the data and mailbox.

    Solution 2: Self-service based on e-forms

    If temporary hires or external employees are not registered in the HRM system, this can be solved by having the relevant manager handle requests for user accounts. A ‘web shop’ with electronic forms (e-forms) is made available, so that the manager can request user accounts for these employees. This can be configured so that requests are carried out immediately or must first be approved by the IT department. The web shop features will also allow managers to perform management tasks for the user accounts that they have requested, such as resetting passwords and unlocking, blocking, releasing or renewing accounts. This means temporary employees will no longer have to call in the help of IT if their contract is renewed. Everything can be handled directly by their manager.

    Solution 3: Automatic reporting and notifications

    Solution 3 can be combined with the solutions discussed above. UMRA by Tools4Ever makes it easy to convert the expiration date stored in Active Directory into a legible date. With solution 2, managers still run the risk of forgetting to renew contracts for temporary hires or external employees. To prevent this, it is possible to check daily for accounts that are about to expire in, say, 2 weeks. Notifications will automatically be sent to the account itself and to the person who requested the account. This means the organisation is always kept up to date on accounts that are about to expire, which can prevent a lot of frustration.
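    The three solutions above translate into a short scheduled job. The following PowerShell is an added example, not UMRA or Tools4Ever code, and it assumes the RSAT ActiveDirectory module, that the person who requested an account is recorded in the user's `manager` attribute, and that the quarantine OU, SMTP relay and sender address below (all placeholders) are replaced with real values. It converts the raw `accountExpires` value into a readable date, writes the grace period into the expiry date the way an HRM connector (solution 1) would, warns two weeks ahead (solution 3), and quarantines accounts once the expiry date has passed.

```powershell
# Added example (PowerShell, not UMRA code): daily handling of account expiration dates in Active Directory.
# Assumptions: RSAT ActiveDirectory module; requester stored in the 'manager' attribute; placeholders below.
Import-Module ActiveDirectory

$WarnDays       = 14                                   # notify this many days before expiry (2 weeks)
$GraceDays      = 2                                    # logon still allowed this long after the contract ends
$QuarantineDays = 90                                   # disabled accounts are kept this long before removal
$QuarantineOU   = 'OU=Quarantine,DC=example,DC=com'    # placeholder
$SmtpServer     = 'smtp.example.com'                   # placeholder
$From           = 'iam-notifications@example.com'      # placeholder
$Now            = Get-Date

# accountExpires is a FILETIME: 100-ns ticks since 1601-01-01 UTC. 0 and Int64.MaxValue both mean "never".
function ConvertTo-ExpiryDate([Int64]$FileTime) {
    if ($FileTime -eq 0 -or $FileTime -eq [Int64]::MaxValue) { return $null }
    return [DateTime]::FromFileTime($FileTime)          # converted to local time
}

# Windows refuses logon once accountExpires has passed, so the grace period is implemented by storing
# contract end + grace as the expiry date. This is what the HRM connector from solution 1 would write.
function Set-ContractEnd([string]$SamAccountName, [DateTime]$ContractEnd) {
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $ContractEnd.AddDays($GraceDays)
}

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties accountExpires, mail, manager

foreach ($u in $users) {
    $expires = ConvertTo-ExpiryDate $u.accountExpires
    if (-not $expires) { continue }                      # no expiry date set on this account
    $daysLeft = [Math]::Floor(($expires - $Now).TotalDays)

    if ($daysLeft -ge 0 -and $daysLeft -le $WarnDays) {
        # About to expire: notify the account holder and the requester (manager attribute, see above)
        $requesterMail = if ($u.manager) { (Get-ADUser $u.manager -Properties mail).mail }
        $to = @($u.mail, $requesterMail) | Where-Object { $_ }
        if ($to) {
            Send-MailMessage -SmtpServer $SmtpServer -From $From -To $to `
                -Subject "Account $($u.SamAccountName) expires on $($expires.ToString('yyyy-MM-dd'))" `
                -Body "The account expires in $daysLeft day(s). Renew it before then if the contract has been extended."
        }
    }
    elseif ($daysLeft -lt 0) {
        # Expiry date (contract end + grace, see Set-ContractEnd) has passed: quarantine, keep data and mailbox
        Disable-ADAccount -Identity $u
        Set-ADUser -Identity $u -Description "Quarantined $($Now.ToString('yyyy-MM-dd')); expired $($expires.ToString('yyyy-MM-dd'))"
        Move-ADObject -Identity $u.DistinguishedName -TargetPath $QuarantineOU
    }
}

# Third stage: accounts quarantined longer than 90 days. Deletion stays a reviewed step, hence -WhatIf.
$cutoff = $Now.AddDays(-$QuarantineDays)
Get-ADUser -SearchBase $QuarantineOU -Filter 'Enabled -eq $false' -Properties accountExpires |
    Where-Object { $e = ConvertTo-ExpiryDate $_.accountExpires; $e -and ($e -lt $cutoff) } |
    ForEach-Object { Remove-ADUser -Identity $_ -Confirm:$false -WhatIf }
```

    Run it once a day from a scheduled task under an account that may disable and move users. Removing `-WhatIf` from the last line turns the report into the actual deletion; until then the output shows what would be removed, which is the safer default for the step that also destroys data and mailboxes.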

    Want to learn more about how UMRA can streamline your identity management process? Visit our website: www.tools4ever.com


    Tuesday, Apr 05 2011

    Delegation to project managers: self-service management for project folders 

    The challenge:

    In mid-sized to large organizations, we often find a need to use dedicated folders for a project that project managers can manage by themselves. Among other things, project managers want to be able to add or remove members or assign or revoke reading and writing privileges. The procedure usually involves the project manager calling IT to request a folder or informing them of changes regarding authorizations and privileges. This results in a call or ticket to which a member of the IT organization must be assigned. The latter will have to perform the task and notify the project manager of the outcome.

    But a different approach is possible:

    By offering project managers self-service capabilities, they will be able to register projects themselves. Using templates, IT administrators can determine what should happen on NTFS level and in Active Directory. By creating a link with the HRM system, it will be possible, among other things, to check which Active Directory users are the actual project managers. Subsequently, these accounts are authorized to register projects using secure electronic forms (e-forms). These projects are then checked for naming and duplicate records. A project folder can be created on a file server using an intelligent mechanism. This mechanism makes it possible to define a group of file servers and to use the file server with the most available disk space, or to select a random file server from a group. This process would be even simpler with DFS, and in general less intelligence is required in pinpointing an NTFS location. After all, this is handled by DFS for the most part.

    After the project folder has been created, local and global groups can be automatically created in Active Directory on the basis of a user-defined naming convention, e.g. G-LG-NTFS-"project"-R or G-LG-NTFS-"project"-C. The local groups are subsequently linked to the global groups and assigned read and change privileges for the project folder. After completing the electronic form, the project manager will receive notification that the directory has been created, so that he or she can directly continue with the next form and add members to the project folder along with reading and/or writing privileges. In the background this is simply a modification of the Active Directory groups created earlier; for the project manager, however, that detail is no longer relevant.
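    The steps in the two paragraphs above (name check, duplicate check, choosing the file server with the most free space, creating the nested groups, setting NTFS rights, and the second form that adds members) can be expressed as two PowerShell functions. This is an added example and not UMRA's template mechanism. It assumes the RSAT ActiveDirectory module, that the file server list and the group OU are placeholders to be replaced, that the domain local groups use the post's naming G-LG-NTFS-"project"-R/C, and that the global groups use an assumed naming G-GG-NTFS-"project"-R/C.

```powershell
# Added example (PowerShell, not UMRA code): provision a project folder with AGDLP group nesting.
# Assumptions: RSAT ActiveDirectory module; server list and OU below are placeholders;
# global groups use the assumed naming G-GG-NTFS-<project>-R/C, domain local groups the post's G-LG-NTFS-<project>-R/C.
Import-Module ActiveDirectory

function New-ProjectFolder {
    param(
        [Parameter(Mandatory)][string]$Project,                        # e.g. 'Apollo'
        [Parameter(Mandatory)][string]$ProjectManager,                 # sAMAccountName, receives Change rights
        [string]$GroupOU = 'OU=NTFS Groups,DC=example,DC=com',          # placeholder
        [hashtable[]]$FileServers = @(                                   # placeholders
            @{ Server = 'fs01'; Drive = 'D:'; Share = '\\fs01\Projects' },
            @{ Server = 'fs02'; Drive = 'D:'; Share = '\\fs02\Projects' })
    )
    # Naming check: letters, digits and hyphens only, so the name is safe in paths and group names
    if ($Project -notmatch '^[A-Za-z0-9-]{2,40}$') { throw "Invalid project name '$Project'" }
    # Duplicate check: a group with the convention name means the project was registered before
    if (Get-ADGroup -Filter "Name -eq 'G-LG-NTFS-$Project-R'") { throw "Project '$Project' already exists" }

    # Pick the file server with the most free disk space (the post's 'intelligent mechanism')
    $target = $FileServers | Sort-Object -Descending {
        (Get-CimInstance Win32_LogicalDisk -ComputerName $_.Server -Filter "DeviceID='$($_.Drive)'").FreeSpace
    } | Select-Object -First 1
    $path = Join-Path $target.Share $Project
    if (Test-Path $path) { throw "Folder '$path' already exists" }
    New-Item -Path $path -ItemType Directory | Out-Null

    # AGDLP: users -> global groups -> domain local groups -> NTFS ACL
    $netbios = (Get-ADDomain).NetBIOSName
    $rights  = @{ R = 'ReadAndExecute'; C = 'Modify' }
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)                         # stop inheriting from the share root
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
    foreach ($perm in 'R', 'C') {
        $local  = "G-LG-NTFS-$Project-$perm"                             # naming convention from the post
        $global = "G-GG-NTFS-$Project-$perm"                             # assumed naming for the global group
        New-ADGroup -Name $local  -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU -Description "NTFS $perm on $path"
        New-ADGroup -Name $global -GroupScope Global      -GroupCategory Security -Path $GroupOU -Description "Project $Project members ($perm)"
        Add-ADGroupMember -Identity $local -Members $global               # link global group into local group
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            "$netbios\$local", $rights[$perm], 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
    }
    # The new groups must have replicated to the DC the file server uses before their SIDs resolve; retry on failure
    Set-Acl -Path $path -AclObject $acl
    Add-ProjectMember -Project $Project -User $ProjectManager -Access C

    [pscustomobject]@{ Project = $Project; Path = $path; ReadGroup = "G-GG-NTFS-$Project-R"; ChangeGroup = "G-GG-NTFS-$Project-C" }
}

# The second e-form from the post: the project manager adds a member with read (R) or change (C) rights.
# In the background this is only a membership change on the global group created above.
function Add-ProjectMember {
    param(
        [Parameter(Mandatory)][string]$Project,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][ValidateSet('R', 'C')][string]$Access
    )
    Add-ADGroupMember -Identity "G-GG-NTFS-$Project-$Access" -Members $User
}

# Example calls (constructed):
# New-ProjectFolder -Project 'Apollo' -ProjectManager 'jdoe'
# Add-ProjectMember -Project 'Apollo' -User 'asmith' -Access R
```

    In a self-service setup only `Add-ProjectMember` is exposed to the project manager, and the account running the e-form is the only one holding the Active Directory permission to change membership of the G-GG-NTFS-* groups; the manager never touches the NTFS ACL or the domain local groups, which is exactly the separation the post describes. With DFS the `$FileServers` selection collapses to a single namespace path and the free-space lookup can go.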

    Want to know more? Check out organizational delegation and self-service for UMRA.

    Monday, Mar 28 2011

    Identity Management - De-provisioning: an employee leaves the company

    There are often three scenarios to consider when tackling Identity Management: new hires, transfers and departures. Invariably, the onboarding process for a new employee is given the highest priority and emphasis. After all, most organizations do want to ensure new employees can be productive from the get-go. Transfers are often given a lower priority though it all depends on the organization’s maturity level with regard to security and role management.

    However, departures are also very important, particularly when it comes to security, license costs and database pollution in IT environments. There can also be an urgent need to shut down accounts and to revoke privileges when disgruntled employees leave the company. There is, however, a difference in priority between immediately shutting down user accounts and the eventual cleanup of resource data.

    An important aspect to consider is the moment an employee leaves service. Invariably, this information is stored in an HRM system or payroll suite, since the organization will certainly stop paying the employee’s salary. However, this information all too seldom reaches IT. In many cases, IT will launch its own cleanup initiatives after an internal investigation (e.g. based on the last logon on the network).

    A number of examples are given below of scenarios we have implemented for customers:

    Before the employee leaves service:

    • Send an e-mail notification to the employee and his or her manager 2 weeks before the contract expires. This notification should indicate which action should be taken and when the user accounts and privileges will be revoked.
    • Send an additional notification during the last 2 days before expiration of the contract.

    The day the employee leaves the company:

    • Block (disable) the login in Active Directory. It is also possible to leave the account active and to exclusively allow login to a non-existing workstation. In this way it will still be possible to access resources such as the Exchange mailbox.
    • Migrate the account to a special OU.
    • Revoke group memberships with the exception of distribution groups (to prevent NDRs to distribution groups).
    • Optionally, delay blocking the account by x days if employees are offered a grace period.
    • Transfer mail and data privileges to another user, e.g. a manager. You can do so by assigning/overwriting privileges or by copying these resources to the manager’s environment in their entirety.
    • Create a closed call in a helpdesk system, such as Track-It, with a description of the account block.
    • Downstream provisioning: block the user in application X.

    After a certain blocking period:

    • Delete the account.
    • Migrate the associated data (home directory, profile, terminal server home directory and/or profiles), to an archive folder.
    • Export the Exchange mailbox to a PST file and save it on an archive server.
    • Completely remove all mail and data (optional).

    It is possible to have these scenarios carried out in an automated and phased way. Alternatively, parts of these scenarios could also be performed manually through the use of electronic forms. For instance, it is common to have the notification and blocking performed automatically but to perform the definitive removal manually by having a user click a Remove button.
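    The day-of-departure list and the later cleanup can be scripted as two PowerShell functions. The following is an added example, not UMRA code, and assumes the RSAT ActiveDirectory module, a Leavers OU and archive share (placeholders below), and that the manager who inherits the data is recorded in the user's `manager` attribute. It implements the disable-or-restrict choice, the move to a separate OU, revoking security groups while keeping distribution groups, the grace period, handing the home directory to the manager, and the deferred removal after the blocking period; the Track-It call and the downstream application block are left out.

```powershell
# Added example (PowerShell, not UMRA code): de-provisioning a leaver in two phases.
# Assumptions: RSAT ActiveDirectory module; Leavers OU and archive share are placeholders; 'manager' attribute maintained.
Import-Module ActiveDirectory

function Disable-LeaverAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$LeaversOU = 'OU=Leavers,DC=example,DC=com',   # placeholder
        [int]$GraceDays = 0,                                   # > 0: keep logon working that many more days
        [switch]$KeepMailboxAccess                             # post's alternative: logon only to a non-existent workstation
    )
    $user  = Get-ADUser $SamAccountName -Properties memberOf, manager, homeDirectory
    $today = Get-Date

    if ($GraceDays -gt 0) {
        # Grace period: the expiry date does the blocking later; everything else happens now
        Set-ADAccountExpiration -Identity $user -DateTime $today.AddDays($GraceDays)
    } elseif ($KeepMailboxAccess) {
        # Account stays enabled so the Exchange mailbox remains reachable, but interactive logon is impossible
        Set-ADUser -Identity $user -LogonWorkstations 'NO-SUCH-PC'
    } else {
        Disable-ADAccount -Identity $user
    }

    # Revoke security group memberships; distribution groups are kept so mail to them does not produce NDRs
    $groups   = $user.memberOf | ForEach-Object { Get-ADGroup $_ }
    $security = @($groups | Where-Object { $_.GroupCategory -eq 'Security' })
    foreach ($g in $security) {
        Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
    }
    # Record what was removed so the change can be audited or reversed
    Set-ADUser -Identity $user -Description ("Left {0:yyyy-MM-dd}; groups removed: {1}" -f $today, ($security.Name -join ','))

    # Transfer the home directory to the manager by adding an ACE (the post's 'assigning privileges' variant)
    if ($user.manager -and $user.homeDirectory -and (Test-Path $user.homeDirectory)) {
        $mgr  = Get-ADUser $user.manager
        $acl  = Get-Acl -Path $user.homeDirectory
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            "$((Get-ADDomain).NetBIOSName)\$($mgr.SamAccountName)", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $user.homeDirectory -AclObject $acl
    }

    # Move last: $user still carries the old distinguished name
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $LeaversOU

    [pscustomobject]@{ User = $SamAccountName; GroupsRemoved = $security.Name; MovedTo = $LeaversOU }
}

# Phase 2, after the blocking period: archive the home directory and delete the account.
# whenChanged is used as the approximate blocking date; it is updated by any write, so a dedicated
# attribute or the description stamp above is more precise in production.
function Invoke-LeaverCleanup {
    param(
        [string]$LeaversOU    = 'OU=Leavers,DC=example,DC=com',   # placeholder
        [string]$ArchiveShare = '\\archive\leavers',               # placeholder
        [int]$BlockingDays    = 90
    )
    $cutoff = (Get-Date).AddDays(-$BlockingDays)
    Get-ADUser -SearchBase $LeaversOU -Filter 'Enabled -eq $false' -Properties whenChanged, homeDirectory |
        Where-Object { $_.whenChanged -lt $cutoff } |
        ForEach-Object {
            if ($_.homeDirectory -and (Test-Path $_.homeDirectory)) {
                Move-Item -Path $_.homeDirectory -Destination (Join-Path $ArchiveShare $_.SamAccountName)
            }
            Remove-ADUser -Identity $_ -Confirm:$false -WhatIf       # drop -WhatIf once the output has been reviewed
        }
}

# Example calls (constructed):
# Disable-LeaverAccount -SamAccountName 'jdoe'
# Disable-LeaverAccount -SamAccountName 'jdoe' -GraceDays 5
# Invoke-LeaverCleanup
```

    The `-WhatIf` in the cleanup function mirrors the post's advice to automate notification and blocking but keep the definitive removal a deliberate, reviewed step. Exporting the mailbox to a PST before deletion is an Exchange task (the `New-MailboxExportRequest` cmdlet in the Exchange Management Shell) and is not covered by this script.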


    Would you like to know more about how UMRA can help you keep your directory data clean? Visit our website: www.tools4ever.com

